Microsoft Changes Tune on IE7 Vulnerability

Reversing its initial assessment, Microsoft on Wednesday acknowledged that it needs to fix a vulnerability in its Internet Explorer 7 Web browser that could allow malicious Web sites to install unwanted software on Windows XP and Windows Server 2003 machines.

Evidence of the flaw first surfaced in June, and not long after Firefox browser maker Mozilla shipped a security update to fix a problem wherein a nasty Web site could use the mere existence of IE7 on a Windows machine to force Firefox to launch pretty much any application already installed on Windows, simply by convincing the user to click on a specially crafted link.

Mozilla said its update prevented the Windows flaw from using Firefox as the vehicle for hacking a vulnerable system, but that the nature of the vulnerability meant that attackers could force pretty much any other Windows software application to open up a virtual backdoor on PCs and let bad guys install malicious software of their choosing.

Microsoft maintained for months that this was not the result of a Windows design flaw. Throughout, Microsoft's stance was that it had "thoroughly investigated the claim of a vulnerability in Internet Explorer and found that this is not a vulnerability in a Microsoft product."

Fast-forward to Wednesday, when the company issued a security bulletin essentially acknowledging that Mozilla's initial prognosis was correct, at least for "supported editions of Windows XP and Windows Server 2003 with Windows Internet Explorer 7 installed." Interestingly, Microsoft says this vulnerability does not affect IE7 on Windows Vista, IE6 or earlier versions on Windows XP.

Microsoft concedes that attackers could exploit this flaw merely by convincing a Windows user to click on a link in an e-mail. The company says it is not aware of any malicious Web sites actively exploiting this vulnerability and that it is crafting a security update to plug this security hole.

But the sticky part here is that instructions showing criminals precisely how to exploit this flaw to break into Windows computers were posted online some time ago. Indeed, security provider Symantec warns that "with the ease of exploitation, the availability of public proof-of-concept code, and further attention that this vulnerability is receiving, it is likely this issue will begin to see more exploitation in the wild."

Not sure what "Eureka!" moment caused Microsoft to change its tune on this, but here's hoping they ship a fix before cyber crooks start exploiting the flaw for financial gain.

In other Windows vulnerability news, Symantec says it has seen evidence that cyber crooks are now exploiting a flaw in certain Microsoft Office file formats that could be used to compromise Windows PCs. While Microsoft on Tuesday shipped a software patch to fix this particular vulnerability, it is likely to remain unfixed on millions of Windows PCs for some time. That's because the group most at risk from this flaw are Office 2000 users. While Microsoft makes most security updates available through its Microsoft Update site, Office 2000 users must make a separate trip over to the Office Update site to download fixes. In a further complication, the default installation process for Office 2000 patches requires the user to have the original Office installation discs handy.

I use two PCs on a KVM-switch..one Pc uses XP-Home ED.(SP2)..the other is a Pc I built(intel)and uses XP-Pro(SP2)..I've been attempting Video Movies for some 5+ years now..I have just about everything an Amateur Photographer could want/I've created some 100+ DVD-movies..I'm basically the family photographer--but really like to experiment..along the way I decided to use two PCs/1-PC(uses)Celeron D and the 2nd uses Pentium 4/I have managed much better having a PROJECT PC and a solitary Internet PC..McAFEE protects my Internet Projects--and--Microsoft Windows Firewall protects the Project PC for Video Production..this has run nearly flawless(except)that Video Production tends to run the PC(into the ground)OS/re-installs are the CLUTCH-operation/software reinstalls are necessary..but my Video Files are quite good for the amount of money I actually spend..I have read about a lot of PCs that have problems..and have never heard the word(PC ADMINISTRATOR)used..also the use of PCs as Video Arcades seems to have forced a FALSE impression of PCs into VIEW..basically I have found that being a PC ADMINISTRATOR is the success level of going long range on PC-technology-and GOALS..Parts List,,LOGS,,Receipts,,understanding the aspect of a consumers market in the PC-world..many things are NULL-on development..BASIC may be an out-dated term for Functionality and Hardware/but ORIGINAL CONFIGURATION surfaces many times in my travels..I use it liberally..in the sense that PCs are trouble-some..I would say that OFFICE Products are very difficult compared to Digital Media..and the newer PCs seem to attempt to collect the two into a SINGLE-system..this I have avoided by using a KVM-switch.

I remember this issue very well, we found out that our proprietary software vendor was using this vulnerability to view reports, etc. via their Java based application. After Firefox was patched, the view feature no longer worked and we had to either make significant changes to the registry to make it work or lock out updates to future versions of Firefox. We decided to lock out updates until we replace the application with something better.

Although I use Firefox on my Windows XP, I can't seem to update to IE7 properly. My computer freezes every time I install IE7. So I've removed the icon so no one else can access it easily. My concern is that when I want to do updates for Office, for example, it's the IE6 browser that opens, something I don't want. I do get automatic updates from MS, but don't know if they apply to Office or Excel. Any idea of how to update to IE7?

I was uploading lots of Vid Files to a website which eventually corrupted my OS and ISP..during the Re-Install of everything I completed everything and went to check on IE...well it was IE6...why did IE7 not install during Microsoft UPDATE....??...I went to www.microsoft.com/...to CLICK the IE7 Link and it stalled w/2MBs left to INSTALL(I used the RUN-command)...IE7 is a 14.7MB Size File...well at an earlier time I did CLICK-the-SAVE-command and have a IE7 File on hand in Storage...it LOADED and runs as usual(just great)....So..I would suggest you do a SAVE on the Download and then use RUN-later.

Microsoft is patching a bug in ShellExecute() and NOT anything that relates to 3rd party protocols.

Read this snippet:
"With Internet Explorer 7 installed, the flow is a bit different. IE7 began to do more validation up front to reject malformed URIs. When this malformed URI with a % was rejected by IE7, ShellExecute() tries to "fix up" the URI to be usable. During this process, the URI is not safely handled. IE7 rejects the URI, and on Windows Vista ShellExecute() gracefully rejects the URI. That's not the case on the older versions of Windows like Windows XP and Windows Server 2003 when IE7 is installed"
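The snippet above describes the failure as a dispatcher that tries to repair a malformed URI instead of refusing it. As an added illustration (not code from the article, from Microsoft, or from the commenter), here is a small Python validator that models the reject-don't-fix-up behaviour a protocol dispatcher should have: a URI is handed to a registered handler only if its scheme is well-formed and allowlisted, every `%` starts a proper two-hex-digit escape, and nothing decodes to a control character. The function names, the scheme allowlist and the sample URIs are constructed for this example.

```python
"""Strict URI validation before a link is handed to a protocol handler.

Added example modelling the defensive behaviour the quoted snippet
attributes to Windows Vista's ShellExecute(): refuse a malformed URI
outright rather than "fixing it up". Names, the allowlist and the sample
inputs below are constructed for this example and are not Microsoft code.
"""
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ':'.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
# A '%' is legal only as the start of a two-hex-digit escape.
_BAD_PERCENT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")
# Raw control characters and whitespace never belong in a URI.
_RAW_CTRL_RE = re.compile(r"[\x00-\x20\x7f]")
# After decoding, a space is fine but C0 controls and DEL are not.
_DECODED_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")

# Assumed allowlist: schemes this host is willing to dispatch at all.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def validate_uri(uri: str) -> Tuple[bool, str]:
    """Return (True, "") if uri is well-formed and dispatchable, else (False, reason).

    Deliberately strict: anything that would require guessing the
    author's intent is rejected, never repaired.
    """
    if _RAW_CTRL_RE.search(uri):
        return False, "control character or whitespace in URI"
    if _BAD_PERCENT_RE.search(uri):
        return False, "malformed percent-escape"
    match = _SCHEME_RE.match(uri)
    if match is None:
        return False, "missing or malformed scheme"
    scheme = match.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + scheme
    if _DECODED_CTRL_RE.search(unquote(uri)):
        return False, "percent-escape decodes to a control character"
    return True, ""


def dispatch(uri: str, handlers: Dict[str, str]) -> str:
    """Return the name of the handler registered for uri's scheme.

    Raises ValueError instead of passing a rejected URI along, which is
    the behaviour the snippet contrasts with the XP/2003 "fix up" path.
    """
    ok, reason = validate_uri(uri)
    if not ok:
        raise ValueError("rejected %r: %s" % (uri, reason))
    scheme = _SCHEME_RE.match(uri).group(1).lower()
    return handlers[scheme]


if __name__ == "__main__":
    # Constructed sample links, not taken from the page.
    samples = [
        "https://example.com/a%20b",        # well-formed escape
        "mailto:user@example.com",          # allowlisted, no escapes
        "https://example.com/a%zz",         # '%' not followed by hex digits
        "https://example.com/%",            # dangling '%'
        "http://example.com/%00",           # decodes to NUL
        "http://example.com/\r\nfoo",       # raw CR/LF
        "file:///C:/tmp",                   # scheme outside allowlist
        "no-scheme-here",                   # no scheme at all
    ]
    for s in samples:
        print("%-32r -> %s" % (s, validate_uri(s)))
```

The validator refuses before it parses anything else, so a handler never sees a URI whose percent-encoding it would have to guess at; the allowlist is the second gate, and in a real dispatcher it is the one that keeps an arbitrary installed application from being reachable through a link.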

Yep!, my computer is invaded with spyware using Office programs, Illustrator, and others... My private folders have been made available to all users without consent, and I cannot change it...Being redirected to who knows where...Many of My Documents done on Word have changed to another format...Some of My Favorites simply disappear...Free Dr. Spyware, AntispywareBot do not delete and persistently pop-up and/or are used to track and print My Documents and computer activities. Under REMOVE PROGRAMS they appear indicating they do not exist. However, under SEARCH I do find files under their names on My Documents, Windows Updates, and others. I've even found a Task file assigned to them on a daily basis. If I try deleting the several files under these "nonexistent" programs, suddenly the rest change to a different format created with unidentified programs and computer or internet might go crazy...

Please share some advice. I will also check tomorrow this wonderful-just-discovered blog to see if there is already any info that may be helpful.

While having no love for Mr Ballmer, I find the sock-puppet fake Ballmer posts distinctly offensive. Mr Krebs, I'm surprised you've allowed them to stand; I thought the policy was not to allow posting under false identities.